December 8, 2013

The BOUNDLESSINFORMANT interface

(Updated: January 3, 2014)

A previous article on this website showed that the charts in the NSA's BOUNDLESSINFORMANT tool are not as easy to interpret as they may seem. Screenshots from this tool were published by a number of European newspapers, which claimed that they prove the NSA is intercepting phone calls from these countries. This article will show and examine a new image which literally provides context to these screenshots.

In a less well-known follow-up article from November 4 on the website of the Spanish paper El Mundo there are four slides from a PowerPoint presentation about BOUNDLESSINFORMANT. Three of the slides were published earlier, but the fourth one had never been shown before. This new slide shows a screenshot of an Internet Explorer browser window with the BOUNDLESSINFORMANT tool in it:

For the first time, this screenshot reveals what the actual BOUNDLESSINFORMANT interface looks like. It shows that the bar charts and the details below them, as published by the newspapers, appear in a pop-up window above the world map of the global overview.

The global overview window

The presentation slide shows that the main screen of this tool is the global overview, which was initially published by The Guardian in June and later by some other media too. Here's a high resolution version of this screen:

On the left side we see the overall numbers for DNI (internet), DNR (telephony), SIGADs, Case Notations and Processing Systems for the last 30 days. This time period can be changed, probably by using the slider underneath this list, next to the dark grey box. It seems that 30 days is its maximum. In the slide screenshot the time period is 7 days, which can be seen in the pop-up window and explains the smaller numbers in the list at the left side of the map.

The lower part of the screen shows a Top 5 of countries and their total numbers of DNI and DNR records. These totals can be sorted in three different ways: Aggregate, DNI and DNR, which can be selected with the radio buttons above the map. Each option results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map. These three versions were published by the Indian paper The Hindu last September.

Next to these radio buttons is a search box with a button named "Country View", which is probably for entering a country name. Finally, there are two buttons in the upper right corner to switch between the two main viewing modes of this tool:

- The Map View, which "allows users to select a country on a map and view the metadata volume and select details about the collection against that country".

- The Org View, which "allows users to view high level metrics by organization [NSA divisions] and then drill down to a more actionable level - down to the program and cover term".

According to a Frequently Asked Questions (FAQ) paper for BOUNDLESSINFORMANT from June 2012, this tool can graphically display information about collected metadata in a map view, a bar chart and a simple table. The map view can be seen in the main window with the global overview, while the bar charts appear in a pop-up window. What the simple table view looks like is not known.

The Map View pop-up window

In the Map View, users can click on a country on the world map, after which a pop-up window appears. According to the BOUNDLESSINFORMANT FAQ paper this window shows "the collection posture (record counts, type of collection, and contributing SIGADS or sites) against that particular country in addition to providing a graphical display of record count trends". These elements can be seen in the screenshot of this window:

Unfortunately the resolution of the slide is too low to make everything readable, but we can still see that this screen contains a lot more than the images which were published by the various newspapers. For comparison, here's the screenshot that was shown in Norwegian media:

Comparing these two screenshots reveals that the images shown in the papers are just a part of the actual pop-up window. We recognize the four sections with the different charts, but there are also some minor differences. The slightly different layout may have been caused by the different time period: 30 days gives a much wider bar chart than 7 days.

Apart from that, we see that in the screenshots from the newspapers the whole frame is missing. The example from the presentation has "SIGAD" with a symbol next to it in the upper left corner, but we don't know whether that's standard, or whether it indicates a specific view mode.

Below this are a search box and a scroll box with a relatively long list of options, unfortunately impossible to read, but it's not a list of SIGADs. The display section has two tabs, the active one white, the other one black, indicating that there are apparently two main options for presenting the information.

Left of the bar chart there's a section that could be titled "Active Summary" and seems to contain symbols and headers very similar to those below the bar chart. Probably one can select different kinds of details about the data collection to be shown. The images from the papers have "Top 5 Techs" in the lower section at the right side, but in the pop-up example something different is shown, again illegible.

Another small difference is in the "Signal Profile" section: the pop-up screen shows four different types of communication systems (maybe DNI, DNR and two others), but the screenshots from the papers have seven. As the presentation is from July 2012 and the images in the papers are from early 2013, maybe during that period more options were added to the tool.

Screenshot from a Brazilian television report, showing some files opened in a TrueCrypt window on the laptop of Glenn Greenwald. In the upper left corner we see an unpublished screenshot from BOUNDLESSINFORMANT with three bar chart sections, apparently about Computer Network Exploitation (CNE), which is computer hacking by the TAO division.

Multiple options

All this shows that in the Map View alone there are more options to select than just clicking a country and getting one standard overview of NSA's collection against that country, which is how Glenn Greenwald and the newspapers presented it.

The fact that there are more ways to select and present the information had already become clear from analysing the screenshots published by the papers. For at least five countries (France, Spain, Norway, Afghanistan and Italy) the charts show only one technique, DRTBOX.

If NSA really spies on these countries, it's unlikely they use only one system and collect only telephone (meta)data. Therefore, it seems more likely that in this case DRTBOX was used as the primary selector, resulting in charts showing how much data this system processed from different SIGADs and different countries.

A more complete overview of data collection against a country is given by the screenshot for Germany, which shows multiple systems collecting both internet and telephone data. Also interesting to see is that there are not only such charts about countries, but also about collection programs like WINDSTOP (which could be from the 'Org View' mode).

Conclusion

Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection.

The screenshots published in various European newspapers were cut out of their original pop-up windows, which means that we are missing their context. We can't see what options there were and which selections were made to present the information as we see it.

We don't know who cut out the charts: was it Edward Snowden, or someone else at NSA (for preparing a presentation), or was it Glenn Greenwald? These questions are of some importance, because these screenshots are used as evidence for rather grave accusations.

Until now, neither Glenn Greenwald nor the editors of the newspapers involved have been willing to answer any questions about the origins of these screenshots. Instead, Greenwald still sticks to his own initial interpretation and lets papers publish it over and over.

3 comments:

"Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection."

I don't think this is the complete picture. I think there's lots more.

For one, I have reason to believe that the chart published in El Mundo doesn't represent the same version of the tool as the other screencaps.

Let me tell you what I can discern (some of the same things as you have).

The version in the FAQ is a web interface: shown here is Internet Explorer 7 running on XP. This more than anything screams "information herein is dated!" It also screams "Security risk!"

SIGAD frame: this is a searchable listbox. I think it is indeed a list of SIGADs, followed in most cases by a coverterm. Need better image.

Collection information Frame:

Contains two tabs, we only see 1.

On the Visible subframe we have a number of widgets:

"Active[?] Summary" - it's not clear whether the number of sub items is static or dynamic. There appear to be up and down arrow icons next to these. Perhaps a trend indicator.

A graph - "Total Collection - Last 7 Days". The probable scale is 30 million in increments of 5 million. In this graph the tops of two bars are labeled with something other than a date. In the main Map view we see a slider controlling the view; the maximum is last 30 days, but it would appear last 7 is also an option. Either that or the capture was made when last 7 was really the technical limit.

Signal Profile -- In this version, we have 4 different types, in the other we have 7. In this version, we also have a subtitle of some kind.

Most volume -- this is also formatted differently than the graphs. The top bar is not a SIGAD and has a star and arrow icon next to it.

NSA Leaders - this would appear to correspond to "top 5 techs"; also something different about the first line, it's not a bar graph like the others.

Top 5 techs vs NSA Leaders, a difference in language, but the same information. Except again we have a difference in the format of the top bar.

As for who cut the images, it wasn't Greenwald. It's really too much work, and I don't think he has the appropriate skillset. The image in the FAQ is a presentation, so that eliminates Snowden from that one.

Snowden described himself as an Infrastructure Analyst in his 12 minute video (previously a system administrator). He therefore would have had the opportunity to use this tool, and therefore grab screenshots from his own workstation. However he was also an exceptionally skilled hacker, who grabbed stuff that may have been well beyond his clearance.

I think the latter, someone else made them a presentation, here's why:

In a few cases, we get the pages' original PDFs; this happened in Le Monde and also accounts for the split you see on the El Mundo low-res graph (within these PDFs internally, there are two images making the chart). El Mundo extracted the images from the PDF and pasted them together, poorly.

And now for Opinion:

About Greenwald, I don't think he's lying; I think he's correct in the main, but mistaken on some points, and rather stubborn, and also hasty. The desire to generate articles quickly may be compromising quality (mystifying CBC redacts, for example. I don't know if that was him or the CBC... but damnit). I want him to step up his game and release some additional supporting documents; it's now 6 months in. He should be willing to refine his analysis based on additional evidence. He's gotten a bit better, but so have the questions. I also get a sense that he wants to release more, but may be prevented by overcautious editors.

Thank you for your message. I don't want to accuse Greenwald of lying, but I think he should stick to the facts, for the sake of his own credibility. Now we see too often exaggerated claims in the papers, which are not fully backed by the documents.

Some other points:

Many people wonder about the US government agencies using rather insecure Windows systems, but these are in fact secure versions of the Windows operating system, not those used by ordinary customers.

Of course it's possible that in the presentation slide there's an earlier version of the BOUNDLESSINFORMANT tool, which could also explain some of the differences, like in the layout.

Nice catch on that 4th Spanish slide and three cheers for the additional analysis above.

I'm thinking the journalists cannot open menus etc. in B'informant because they don't have the software nor the derived record summary database (derived from the multi-trillion record main databases) that B'informant draws on to make its displays.

So when you see something open and covering the main B'informant page, it's because someone made a screenshot for a ppt presentation. Snowden seemed to have attended a lot of these and likely NSA kept them around as tutorials. They would have been relatively safe downloads from his perspective -- if caught, just new guy learning job. That's what tutorials are for.

I don't think newspapers are taking screenshots of popups. More likely, there is a stack of full page B'informant 'printouts', one for each country of interest, maybe convenient archive for top guys, maybe made by Snowden with disclosure in mind.

We could test this -- document forensics -- by looking at the slides to see if they had to be dithered up (or not) to get them to the size shown.

I'm wondering if Snowden took any operational software application code with him.

The thing that would make the most sense is malware -- so other countries could defend themselves against inserted malware via checks provided by anti-viral companies; for example Kaspersky Labs is very good at this, if they have sample code.

He could also have taken front-end desktop portals like B'informant. It would not be hard to make small faux databases that could drive simulated displays. Then people could play with all the menu options. However this would have to be fairly low down in priorities.
